Privacy Policy — PepperLeaf Beauty Studio

Effective Date: May 3, 2026

PepperLeaf Beauty Studio (“PepperLeaf”, “we”, “us”, or “our”) is located at 66 Kenyon Street, Nenagh, Co. Tipperary, E45 V276. We provide beauty and wellness services including massage, facials, waxing, brows, lashes, and nail treatments. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website, book an appointment, contact us, or receive communications from us.

1. Who Controls Your Data

PepperLeaf Beauty Studio is the data controller for the personal data described in this Privacy Policy.

Email: [email protected]
Address: 66 Kenyon Street, Nenagh, Co. Tipperary, E45 V276

2. Personal Data We Collect

Depending on how you interact with us, we may collect:

  • Your name, email address, and phone number
  • Booking and appointment details, including service, date, time, therapist, and notes
  • Payment-related details needed to complete a transaction, although card payments may be processed by third-party payment providers rather than stored by us directly
  • Customer notes or information you provide about preferences, requests, or appointment administration
  • Skin, allergy, sensitivity, contraindication, or other health-related information that you voluntarily provide where relevant to the safety or suitability of a treatment
  • Communications with us by email, phone, forms, SMS, or WhatsApp
  • Marketing consent preferences, including the date, time, source, and wording of the consent you gave
  • Technical information such as IP address, browser type, device information, cookie-related data, and usage information when you use our website

3. How We Collect Your Data

We collect personal data:

  • Directly from you when you book, contact us, complete a form, request a consultation, or provide treatment-related information
  • Automatically when you use our website through cookies, server logs, and similar technologies
  • From service providers involved in processing bookings, payments, communications, or hosting where relevant

4. How We Use Your Data and Our Legal Bases

We use personal data for the following purposes and rely on the following legal bases under the GDPR:

  • To manage bookings and provide services — including confirming appointments, processing reservations, arranging therapists, managing cancellations or rescheduling, handling no-shows or lateness, and delivering the treatment you requested. Legal basis: performance of a contract or steps at your request before entering a contract.
  • To send operational appointment communications — including confirmations, reminders, rescheduling messages, waiting-list contact, pre-appointment preparation messages, patch-test reminders, aftercare messages directly related to the booked treatment, and urgent service-related communications. These may be sent by email, phone, SMS, or WhatsApp where relevant to your booking. Legal basis: performance of a contract and, where appropriate, our legitimate interests in running appointments safely and efficiently.
  • To process treatment-safety information — including allergy, sensitivity, skin, or contraindication information that you choose to provide so that we can assess whether a treatment is suitable and carry it out safely. Legal basis: your explicit consent for special category data and, where relevant, the establishment, exercise, or defence of legal claims.
  • To maintain records, accounts, and legal compliance — including tax, accounting, fraud prevention, complaint handling, and legal obligations. Legal basis: compliance with legal obligations and our legitimate interests in operating the business responsibly.
  • To improve our website and services — including analytics, troubleshooting, security, and service improvement. Legal basis: our legitimate interests and, where required, consent for cookies or similar technologies.
  • To send marketing by email — including promotions, offers, seasonal campaigns, new treatment announcements, and beauty or studio updates, but only where you have opted in or where another lawful basis under applicable direct marketing rules clearly applies. Legal basis: your consent.
  • To send marketing by WhatsApp — including promotions, offers, seasonal campaigns, new treatment announcements, and beauty or studio updates, but only where you have specifically opted in. Legal basis: your consent.

5. Marketing Communications and Your Choices

Marketing consent is optional and is not required to make a booking.

If you opt in, we may send marketing messages by the channel(s) you selected, such as email and/or WhatsApp. You can withdraw marketing consent at any time by:

  • Clicking the unsubscribe link in marketing emails, where available
  • Replying to a marketing message with an opt-out request, where appropriate
  • Contacting us at [email protected]

Withdrawing marketing consent does not affect the lawfulness of processing carried out before withdrawal and does not stop us from sending operational messages needed to manage an existing booking.

6. WhatsApp Communications

If you provide a mobile number, we may use WhatsApp for operational appointment communications where relevant to your booking, for example reminders, rescheduling, lateness follow-up, or pre-appointment and aftercare information connected to the service you booked.

If you separately opt in to WhatsApp marketing, we may also use WhatsApp to send offers, promotions, new treatment announcements, and related studio updates.

WhatsApp services are provided by Meta/WhatsApp. If you communicate with us on WhatsApp or opt in to WhatsApp marketing, your phone number and message data may be processed by WhatsApp/Meta in accordance with their own terms and privacy information.

7. Who We Share Data With

We do not sell your personal data. We may share it only where necessary with:

  • Booking, scheduling, hosting, website, email, payment, analytics, and communication service providers
  • Professional advisers, insurers, or legal representatives where reasonably necessary
  • Authorities, regulators, or courts where required by law or to protect our legal rights

Where third parties process personal data for us, they do so under appropriate contractual and data-protection safeguards.

8. International Transfers

Some of our service providers may process personal data outside the European Economic Area (EEA). Where this happens, we take reasonable steps to ensure appropriate safeguards are in place, such as adequacy decisions or standard contractual clauses, where required.

9. Data Retention

We keep personal data only for as long as reasonably necessary for the purpose for which it was collected, including to satisfy legal, tax, insurance, dispute-handling, and record-keeping requirements. Typical retention periods may include:

  • Booking and accounting records: up to 6 years, or longer if legally required
  • Marketing consent records: until consent is withdrawn, or for a reasonable period after the last meaningful interaction so that we can demonstrate consent and manage suppression lists
  • Health or treatment-suitability information: only for as long as necessary for treatment safety, record-keeping, and legal protection, taking account of the sensitivity of the data
  • General enquiries: for as long as needed to answer the enquiry and maintain appropriate business records

10. Cookies and Website Technologies

Our website may use cookies and similar technologies for core site functionality, preferences, analytics, and security. Where required by law, we will request your consent before placing non-essential cookies. You can also manage cookies through your browser settings.

11. Security

We use appropriate technical and organisational measures to help protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. However, no internet-based system is completely secure, and we cannot guarantee absolute security.

12. Your Rights

Depending on the circumstances, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request deletion of your data
  • Request restriction of processing
  • Object to processing, including direct marketing
  • Withdraw consent at any time where processing is based on consent
  • Request data portability where applicable
  • Lodge a complaint with the Irish Data Protection Commission

You can exercise your rights by contacting us at [email protected].

13. Complaints

If you have concerns about how we handle your personal data, please contact us first so we can try to resolve the issue. You also have the right to complain to the Irish Data Protection Commission:

https://www.dataprotection.ie/

14. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be published on our website with the updated effective date.